libressl bug roundup

libressl bug roundup

Stuart Henderson
Currently known libressl problems:


#1: https://bitbucket.org https://mirror.vdms.com https://ftp.postgresql.org
fail with:

Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred


#2: The "Provide struct/functions for handling TLSv1.3 key shares" commit breaks
server side for non-libressl clients, including if 1.3 is disabled. ssl alert,
decode_error.  This is nasty for servers on -current.

backout:

cd /usr/src/lib/libssl
ftp -o- 'https://github.com/openbsd/src/commit/4673309b7add502ba4c75a5eed0b550a38c0a8b1.patch' | patch -R


#3: libtls session resumption is broken with 1.3. This is used by default in
pkg_add and breaks 5 openbsd mirrors. tb@ has a diff or we can disable "-S
session" in pkg_add for now if needed.

rm /tmp/sess
ftp -S session=/tmp/sess -o/dev/null https://cloudflare.cdn.openbsd.org/pub/OpenBSD/
ftp -S session=/tmp/sess -o/dev/null https://cloudflare.cdn.openbsd.org/pub/OpenBSD/


If you are running into big problems with #1 and #3 rebuild libssl with
"#define LIBRESSL_HAS_TLS1_3_CLIENT" commented out in ssl_locl.h.

Re: libressl bug roundup

Stefan Sperling-5
On Sat, Feb 01, 2020 at 11:19:21AM +0000, Stuart Henderson wrote:
> Currently known libressl problems:
>
>
> #1: https://bitbucket.org https://mirror.vdms.com https://ftp.postgresql.org
> fail with:
>
> Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred
 
This also affects outgoing SMTP over TLS; my mail queue got stuck for a
few days until I noticed the problem:

smtpd[46258]: c5b0f4075ab238a4 mta error reason=IO Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred
smtpd[46258]: smtp-out: Disabling route [...]
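
Added here as an example, not code from this thread or from LibreSSL: a small Python triage script that pulls the error:14FFF3E7 failures out of smtpd/ftp log lines and unpacks the packed code using the OpenSSL/LibreSSL ERR_PACK layout (library in the top byte, function and reason in the two low 12-bit fields). The sample log lines are constructed from the messages above; the PEM line is a constructed contrast case.

```python
import re

# ERR_PACK layout shared by OpenSSL and LibreSSL error codes:
#   (lib & 0xff) << 24 | (func & 0xfff) << 12 | (reason & 0xfff)
ERR_LIB_SSL = 20          # 0x14: the "SSL routines" library
ERR_FUNC_UNKNOWN = 0xfff  # LibreSSL prints "(UNKNOWN)SSL_internal" for this

# error:<8 hex digits>:<lib name>:<func name>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def unpack_error(code_hex):
    """Split a packed error code into its lib/func/reason fields."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xff,
            "func": (code >> 12) & 0xfff,
            "reason": code & 0xfff}


def parse_error(line):
    """Return the decoded error found in a log line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    info = unpack_error(m.group(1))
    info.update(lib_name=m.group(2), func_name=m.group(3),
                reason_text=m.group(4).strip())
    return info


def find_ssl_internal_failures(lines):
    """Lines whose error comes from the SSL library with an unknown function."""
    hits = []
    for line in lines:
        info = parse_error(line)
        if info and info["lib"] == ERR_LIB_SSL and info["func"] == ERR_FUNC_UNKNOWN:
            hits.append((line, info))
    return hits


# Constructed sample log: two lines taken from the thread, two added for contrast.
SAMPLE_LOG = [
    "smtpd[46258]: c5b0f4075ab238a4 mta error reason=IO Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred",
    "smtpd[46258]: smtp-out: Disabling route [...]",
    "ftp: Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred",
    "relayd[1234]: error:0906D06C:PEM routines:PEM_read_bio:no start line",  # constructed, lib 9 (PEM)
]

if __name__ == "__main__":
    for line, info in find_ssl_internal_failures(SAMPLE_LOG):
        print(f"lib={info['lib']} func={info['func']:#x} reason={info['reason']} :: {info['reason_text']}")
```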

Re: libressl bug roundup

Joel Sing-3
On 20-02-01 11:19:21, Stuart Henderson wrote:
> Currently known libressl problems:
>
>
> #1: https://bitbucket.org https://mirror.vdms.com https://ftp.postgresql.org
> fail with:
>
> Error: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred

This is a known issue related to Hello Retry Requests - I have code
ready to address it, however it still needs finalising and review.
In the interim I've disabled the TLSv1.3 client and we'll re-enable
it once the currently known issues have been addressed.

> #2: The "Provide struct/functions for handling TLSv1.3 key shares" commit breaks
> server side for non-libressl clients, including if 1.3 is disabled. ssl alert,
> decode_error.  This is nasty for servers on -current.
>
> backout:
>
> cd /usr/src/lib/libssl
> ftp -o- 'https://github.com/openbsd/src/commit/4673309b7add502ba4c75a5eed0b550a38c0a8b1.patch' | patch -R

I've just committed a fix for this.

> #3: libtls session resumption is broken with 1.3. This is used by default in
> pkg_add and breaks 5 openbsd mirrors. tb@ has a diff or we can disable "-S
> session" in pkg_add for now if needed.
>
> rm /tmp/sess
> ftp -S session=/tmp/sess -o/dev/null https://cloudflare.cdn.openbsd.org/pub/OpenBSD/
> ftp -S session=/tmp/sess -o/dev/null https://cloudflare.cdn.openbsd.org/pub/OpenBSD/

There are a couple of bugs here, however it should no longer be an
issue with TLSv1.3 client disabled.

> If you are running into big problems with #1 and #3 rebuild libssl with
> "#define LIBRESSL_HAS_TLS1_3_CLIENT" commented out in ssl_locl.h.
>